Audit logging

Type of fraud control

This is a corrective fraud control. Corrective fraud controls respond to fraud after it has occurred. They help to reduce the consequences or disrupt further consequences.

decorative

Summary

Audit logging refers to system-generated audit trails of staff, client or third-party interactions that help with fraud investigations and deters fraud. This also includes IT audit trails. The Protective Security Policy Framework includes the government protective security policies that support this countermeasure.

Why this countermeasure matters

The prosecution must prove every element of an offence beyond reasonable doubt to convict someone. Poor or no audit logging may lead to:

  • difficultly in detecting, analysing, investigating and disrupting fraudulent activity
  • briefs of evidence being rejected by the Commonwealth Director of Public Prosecutions.

How to put this countermeasure in place

Some ways to implement this countermeasure include setting up audit logging by capturing information like:

  • access to production systems
  • changes to production data and who made the changes
  • access to sensitive information
  • access and use of high-risk accounts and transactions.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods.

  • Confirm that audit logging is switched on.
  • Confirm audit logging complies with the Australian Government Investigations Standards and other national guidelines and frameworks.
  • Consult with investigators about what evidence is required.
  • Review the logs to confirm they capture enough evidence to support an investigation.
  • Review the logs to confirm they capture meaningful information to support detection or an investigation.
  • Check the method of logging is reliable.
  • Confirm and test (if required) audit logs are stored securely.
  • Confirm that audit logs are available to investigators.
  • Confirm that audit logs cannot be switched-off, deleted or altered, even by staff with privileged access.
  • If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
  • Confirm that audit logs are retained as per the relevant records authority.
  • Conduct random and targeted reviews of audit logs.

Related countermeasures

This type of countermeasure is supported by:

System testing

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released when the system goes live.

Privileged access restrictions and monitoring

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Document capture and storage

Capture documents and other evidence for requests, claims and activities to detect, analyse, investigate and disrupt fraudulent activity.

Related Fraudster Personas

This countermeasure helps prevent, detect or respond to the following Fraudster Personas:

The Fabricator

The Fabricator invents or produces something that is false to dishonestly gain personal benefits.

The Concealer

The Concealer hides their actions from being seen or known about to dishonestly gain personal benefits.

The Exploiter

The Exploiter uses something for a wrongful purpose to dishonestly gain personal benefits.

The Impersonator

The Impersonator pretends they are another person or entity to dishonestly gain personal benefits.

The Deceiver

The Deceiver makes others believe something that is not true to dishonestly gain personal benefits.

Was this page helpful?